SUMMARY

This article describes how to configure Microsoft Internet Information Services (IIS) Web site authentication in Windows Server 2003. You can configure IIS to authenticate users before they are permitted access to a Web site, a folder in the site, or even a particular document contained in a folder in the site. Authentication in IIS can be used to strengthen the level of security on sites, folders, and documents that are not to be viewed by the general public.

Authentication in IIS is critical when resources are not meant for anonymous or public access, but when the Web server must be accessible to approved users over the Internet. Examples of Web site applications that require authentication access control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal Services Advanced Client.

How to configure Authentication in IIS

Start IIS Manager or open the IIS snap-in.

Expand Server_name, where Server_name is the name of the server, and then expand Web Sites.

In the console tree, right-click the Web site, virtual directory, or file for which you want to configure authentication, and then click Properties.

Click the Directory Security or File Security tab (as appropriate), and then under Anonymous and access control, click Edit.

Click to select the check box next to the authentication method or methods that you want to use, and then click OK.

The authentication methods that are set by default are Anonymous access and Integrated Windows authentication:

Anonymous access: When anonymous access is turned on, no authenticated user credentials are required to access the site. This option is best used when you want to grant public access to information that requires no security. When a user tries to connect to your Web site, IIS assigns the connection to the IUSER_ComputerName account, where ComputerName is the name of the server on which IIS is running. By default, the IUSER_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users. To edit the Windows account used for anonymous access, click Browse in the Anonymous access box.

Important If you turn on anonymous access, IIS always tries to authenticate users by using anonymous authentication first, even if you turn on additional authentication methods.

Integrated Windows authentication: Formerly named NTLM or Windows NT Challenge/Response authentication, this method sends user authentication information over the network as a Kerberos ticket, and provides a high level of security. Windows Integrated authentication uses Kerberos version 5 and NTLM authentication. To use this method, clients must use Microsoft Internet Explorer 2.0 or later. Additionally, Windows Integrated authentication is not supported over HTTP proxy connections. This option is best used for an intranet, where both the user and Web server computers are in the same domain, and administrators can make sure that every user is using Internet Explorer 2.0 or later.

Note If multiple authentication options are selected, IIS tries to negotiate the most secure method first, and then it works down the list of available authentication protocols until a mutual authentication protocol is supported by both client and server.

Digest authentication for Windows domain servers: Digest authentication requires a user ID and password, provides a medium level of security, and may be used when you want to grant access to secure information from public networks. This method offers the same functionality as basic authentication. However, this method transmits user credentials across the network as an MD5 hash, or message digest, in which the original user name and password cannot be deciphered from the hash. To use this method, clients must use Microsoft Internet Explorer 5.0 or later.

If you turn on digest authentication, type the realm name in the Realm box.

Basic authentication (password is sent in clear text): Basic authentication requires a user ID and password, and provides a low level of security. User credentials are sent in clear text across the network. This format provides a low level of security because the password can be read by almost all protocol analyzers. However, it is compatible with the widest number of Web clients. This option is best used when you want to grant access to information with little or no need for privacy.

If you turn on basic authentication, type the domain name that you want to use in the Default domain box. You can also optionally enter a value in the Realm box.

Microsoft .NET Passport authentication: .NET Passport authentication provides single sign-in security, which provides users with access to diverse services on the Internet. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.

Note When you select this option, all other authentication methods are unavailable (appear dimmed).

Another type of authentication is based on the requesting host instead of on user credentials. You can limit access based on source IP address, source network ID, or source domain name. To configure this type of authentication, follow these steps:

Under IP Address and Domain Name Restrictions, click Edit.

Do one of the following:

To deny access, click Granted Access, and then click Add. In the Deny Access On dialog box that appears, specify the option that you want, and then click OK.

The computer, group of computers, or domain that you specified is added to the list.

To grant access, click Denied Access, and then click Add. In the Grant Access On dialog box that appears, select the option that you want, and then click OK.

The computer, group of computers, or domain that you selected is added to the list.

Click OK.

Click OK, and then quit IIS Manager or close the IIS snap-in.

Troubleshooting

You may be prompted to apply any changes that you have made to existing sites. If you want the authentication changes applied to other content, click the content from the list of child nodes, and then click OK. If you do not want the changes applied to any of the child nodes, do not select any items on the list, and then click OK.

In IIS, you can set authentication options at the Web site, directory, or file level. The same principles that are discussed in this article apply to each.